Diffstat (limited to 'modules')
-rw-r--r--modules/nginx.nix36
1 files changed, 25 insertions, 11 deletions
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 2ac6d1b..6cb47b4 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -29,13 +29,16 @@ in
   config = mkIf cfg.enable {
     _module.args.libNginx.config = {
       internalOnly = ''
+        add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
+        access_log off;
         if ($internal != 1) {
           return 403;
         }
-        access_log off;
       '';
-      # FIXME This stopped working.
       appendHead = text: ''
+        brotli off;
+        gzip off;
+        zstd off;
         sub_filter '</head>' '${lib.concatStrings text}</head>';
         sub_filter_once on;
       '';
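Review bot: The `add_header X-Robots-Tag …` line added to `internalOnly` has no `always` flag, so nginx will not attach it to the `return 403` issued a few lines later in the same snippet. If the denied response should carry it too, write `add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet" always;`. nginx also inherits `add_header` from the outer level only when the current level defines none, so wherever `internalOnly` is included, headers set at http or server level (an HSTS header, for instance) stop being sent. The include sites are outside this hunk, so that needs checking there, and a short comment in the snippet stating the inheritance rule would help the next reader.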
@@ -48,25 +51,36 @@ in
     services = {
       nginx = {
         enable = true;
+
         enableReload = true;
 
         package = pkgs.nginxMainline;
 
-        statusPage = true;
+        statusPage = mkDefault true;
+
+        recommendedOptimisation = mkDefault true;
+        recommendedProxySettings = mkDefault true;
+        recommendedTlsSettings = mkDefault true;
 
-        serverTokens = false;
+        recommendedBrotliSettings = mkDefault true;
+        recommendedGzipSettings = mkDefault true;
+        recommendedZstdSettings = mkDefault true;
 
-        recommendedBrotliSettings = lib.mkDefault true;
-        recommendedGzipSettings = lib.mkDefault true;
-        recommendedOptimisation = lib.mkDefault true;
-        recommendedProxySettings = lib.mkDefault true;
-        recommendedTlsSettings = lib.mkDefault true;
-        recommendedZstdSettings = lib.mkDefault true;
+        resolver.addresses =
+          let
+            isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
+            escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
+            resolvers =
+              if config.networking.nameservers != [ ] then
+                config.networking.nameservers
+              else
+                dns.const.quad9.default;
+          in
+          map escapeIPv6 resolvers;
 
         commonHttpConfig = concatStrings [
           ''
             access_log syslog:server=unix:/dev/log;
-            add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
           ''
           (optionalString (hasAttr "wireguard" this) (
             with config.nixfiles.modules.wireguard;
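Review bot: The `else dns.const.quad9.default` branch of `resolver.addresses` silently points nginx's built-in resolver at a public server whenever `config.networking.nameservers` is empty. That resolver speaks plain, unvalidated DNS, and the nginx documentation recommends resolvers on a properly secured local network to limit spoofing of upstream names. Consider preferring a local stub or validating resolver when the host runs one, and document the fallback in place, e.g. `# nginx resolves over plain DNS; fallback leaves the host, prefer a trusted local resolver`. Separately, `isIPv6` treats any string with two colons as a bare IPv6 address, so an entry that is already bracketed or carries a port would be wrapped a second time by `escapeIPv6`; a comment stating that bare addresses are expected would make that assumption explicit. `dns` is defined outside the hunk, and the `services.nginx` block continues past it.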
